Posted by LLXX @ 09-27-2005, 03:32 AM
And a few years ago we all thought it was impossible to generate MD5 collisions within a short amount of time. I predict that within the next few years MD5 will be as secure as CRC32 is today, with the speed of computer hardware increasing at its present rate.

What would really be interesting would be arbitary binary data that MD5'd to some 16-byte long ASCII message. However at the moment it is still nearly impossible to reverse MD5. All we can do is generate collisions quickly.

The method of generating the collisions is by "bit tunneling", and looks obscure at first but after a few days of pondering the ephiphany is reached and you'll probably be thinking "why didn't I think of that?" like I am right now... the technique is simply to adjust various bits in the data so that the changes cancel each other, resulting in the same hash. Finding those critical bits is where "tunneling" process is used.

While interesting, I think that implying that MD5 is as "broken" as CRC32 is a bit premature. It's possible - under some limited conditions to generate two files with the same MD5 hash.

However it's still not practical to, for any given file, generate another file that hashes to the same MD5 value.

i.e. you may not find it any easier to generate a file with the MD5 value "5ccd8b8c6e6ae27dd2ceb62a3d99343e" than you did before discovering this attack.

0xf001

May 23rd, 2007, 15:22

hi,

i follow the md5 attacks, too, over the years. i remember the demonstrations with the signatures of pdf files. the collisions are "just collisions", so the impact is only in some cases valuable/"useable"

i don't think md5 can be cracked "within the next years", but things like the collision attacks show that the effort is going somewhere and enable us things we didnt think they are possible, so ... i watch for further surprises ...

the links are _very_ good, thank you LLXX!

cheers, 0xf001

0xf001

May 25th, 2007, 18:42

hi,

i just looked the link up for completeness, as they are so nice documents :

How to Break MD5 and Other Hash Functions
Xiaoyun Wang and Hongbo Yu
http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf

Of course you can have more than 2 files with the same MD5, just generate multiple copies of the second collision block (which is generated randomly within certain constraints -- to satisfy the hash of the first).

gera

June 8th, 2007, 13:28

yes, that's one way. What I'm doing is different.

As the method allows for generating collisions on an arbitrary IV, what I do is take the MD5 of the first block and use that as IV to generate a collision. This way, generating 2 collisions give me 4 colliding files. In general, this can be chained, and the method gives 2^n colliding files generating n collisions.

At one point I had generated 128 chained collisions, what would gave me 2^128 colliding files. Of course I did not generate the 2^128 files, because I son't have enough storage

This scheme could be used to encode 128 bits of information, and all the different possibilities would have the same MD5. (for example, to leave messages somewhere where the integrity is checked using MD5)

gera

June 8th, 2007, 13:29

Quote:

[Originally Posted by Shub-nigurrath;66253]well, interested for sure. Post it or PM ..

specifically what do you want more info on?
if it's a general question, I may be able to give you some links to follow,
but I could try to answer a more specific question inline

LaBBa

June 1st, 2009, 00:46

is there a tool that on a given hash (md5) it can create a data that will result same hash ?

reverser

June 1st, 2009, 09:55

http://www.freerainbowtables.com/en/tables/md5/

dongs

June 2nd, 2009, 16:40

Quote:

[Originally Posted by LaBBa;80868]is there a tool that on a given hash (md5) it can create a data that will result same hash ?

That is known as a pre-image attack --- no attack is known for MD5 that would be faster than exhaustive search, i.e. about 2^127 tries.

However, in most cases there is extra information about how the hash was generated, e.g. derived from a password. Rainbow tables are useful in that case, or smart password bruteforcing (trying the most likely words/character combinations).